use srvos for better defaults on linde/marvin
1 file changed, 29 insertions(+), 43 deletions(-)
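--- a/system/linde.nix
+++ b/system/linde.nix
@@ -6,14 +6,14 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
-netif = "enp1s0";
+netif = "eth0";
 hostname = "linde";
 net-ip4 = "116.203.248.56";
-net-mask4 = "32";
+net-mask4 = 32;
 net-gw = "172.31.1.1";
 net-ip6 = "2a01:4f8:c012:23a4::1";
 net-redisip = "2a01:4f8:c012:23a4::6379";
-net-mask6 = "64";
+net-mask6 = 64;
 net-gw6 = "fe80::1";
 domain = "alanpearce.eu";
 ts-domain = "hydra-pinecone.ts.net";
@@ -56,9 +56,6 @@
 file = ../secrets/golink.age;
 };
 };
-# Use the systemd-boot EFI boot loader.
-boot.loader.systemd-boot.enable = true;
-boot.loader.efi.canTouchEfiVariables = true;
 boot.loader.efi.efiSysMountPoint = "/boot/efi";
 
 time.timeZone = "Europe/Berlin";
@@ -85,8 +82,6 @@ services.openssh = {
 enable = true;
 settings = {
 PermitRootLogin = "without-password";
-PasswordAuthentication = false;
-KbdInteractiveAuthentication = false;
 };
 };
 services.sshguard = {
@@ -134,6 +129,7 @@
 package = pkgs.nix-serve-ng;
 secretKeyFile = config.age.secrets.binarycache.path;
 };
+programs.vim.defaultEditor = false;
 programs.neovim = {
 enable = true;
 defaultEditor = true;
@@ -144,7 +140,6 @@
 networking = {
 hostName = hostname;
 inherit domain;
-useDHCP = false;
 dhcpcd.enable = false;
 nameservers = [
 "2606:4700:4700::1111"
@@ -157,6 +152,30 @@ ${net-ip4} = [ "${hostname}.${domain}" hostname ];
 ${net-ip6} = [ "${hostname}.${domain}" hostname ];
 ${net-redisip} = [ "redis" ];
 };
+defaultGateway = {
+address = net-gw;
+interface = netif;
+};
+defaultGateway6 = {
+address = net-gw6;
+interface = netif;
+};
+interfaces.${netif} = {
+ipv4 = {
+addresses = [
+{ address = net-ip4; prefixLength = net-mask4; }
+];
+routes = [
+{ address = net-gw; prefixLength = 32; }
+];
+};
+ipv6 = {
+addresses = [
+{ address = net-ip6; prefixLength = net-mask6; }
+{ address = net-redisip; prefixLength = net-mask6; }
+];
+};
+};
 firewall = {
 enable = true;
 allowPing = true;
@@ -188,44 +207,12 @@ enable = false;
 useLocalResolver = false;
 };
 };
+services.cloud-init.network.enable = false;
 services.resolved = {
 enable = true;
 llmnr = "false";
 dnssec = "true";
 };
-systemd.network = {
-enable = true;
-networks.${netif} =
-{
-name = netif;
-routes = [
-{
-Gateway = net-gw6;
-PreferredSource = net-ip6;
-QuickAck = true;
-InitialCongestionWindow = 30;
-InitialAdvertisedReceiveWindow = 30;
-}
-{
-Gateway = net-gw;
-QuickAck = true;
-InitialCongestionWindow = 30;
-InitialAdvertisedReceiveWindow = 30;
-}
-];
-address = [
-"${net-ip6}/${net-mask6}"
-"${net-redisip}/${net-mask6}"
-];
-addresses = [{
-Address = "${net-ip4}/${net-mask4}";
-Peer = "${net-gw}/32";
-}];
-};
-wait-online = {
-extraArgs = [ "--interface=${netif}" ];
-};
-};
 
 services.tailscale = {
 enable = true;
@@ -283,7 +270,6 @@
 "net.ipv4.tcp_slow_start_after_idle" = false;
 };
 
-security.sudo.execWheelOnly = true;
 security.sudo.extraConfig = ''
 Defaults:root,%wheel env_keep+=EDITOR
 '';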
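Review bot: The hunk at `@@ -85,8 +82,6 @@` drops `PasswordAuthentication = false;` and `KbdInteractiveAuthentication = false;` from `services.openssh.settings`, but nothing in this one-file diff shows the srvos module that is presumably expected to supply them, so if that import is absent or its profile changes, sshd silently falls back to the NixOS default of password authentication enabled while `PermitRootLogin = "without-password"` only restricts root. Keeping the two lines is harmless when srvos sets the same values, or add an assertion on `config.services.openssh.settings.PasswordAuthentication == false` so evaluation fails instead of deploying a weaker sshd. The same assumption is behind removing `security.sudo.execWheelOnly = true;` in the last hunk, which is worth checking against the srvos profile actually imported for this host. The enclosing module attrset starts and ends outside these hunks.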